The present invention relates to retail transaction authorization systems and, particularly, relates to card reader modules used in such systems.
Retail transaction processing systems conventionally offer customer several different methods of payment. Payment options commonly include one or more types of payment cards. Such cards include magnetic-stripe credit and debit cards. To effect payment for a transaction, a customer causes the retail transaction processing system to read information from their payment card, such as by xe2x80x9cswipingxe2x80x9d the card in a magnetic card reader or placing the card in a bar-code scanner. An exemplary bar-code scanning system may be found in Applicant""s U.S. Pat. No. 6,062,473, entitled xe2x80x9cBar Code Reader Systemxe2x80x9d and incorporated herein by reference. In turn, the retail transaction processing system contacts an outside authorization network, submits the payment information obtained from the card, and allows or disallows the customer transaction based on return authorization information.
Frequently, a customer must enter a personal identification number referred to as a xe2x80x9cPINxe2x80x9d and the retail transaction processing system transmits this PIN to the outside authorization network for verification. As the primary value of PIN use is fraud prevention, providing secure PIN handling within the retail transaction processing system is critical. U.S. Pat. Nos. 5,228,084, 5,384,850, and 5,448,638, all issued to Johnson, et al., and having the same Assignee as the Applicant""s present invention, detail secure PIN handling apparatus and encryption techniques in the context of a fuel dispensing system and the disclosures of these named patents are incorporated herein by reference.
In general, the aforementioned patents relate to a fuel dispensing system providing secure PIN entry at a fuel dispenser, the PIN being entered into a keypad in or proximate to the fuel dispenser. The keypad includes electronics for encrypting the PIN information using a local key. Encrypted PIN information is then passed to a site controller, which may manage the operations of one or more fuel dispensers. The site controller cooperates with a security module, with the security module providing PIN decryption capabilities to decrypt the PIN received from the fuel dispenser using a local key. After decryption, the security module re-encrypts the PIN, this time using a network key. Re-encrypted PIN information is then transferred from the site controller to an outside authorization network for PIN verification. This technique allows the network encryption key information to remain within the essentially tamper-proof secure security module rather than it residing in the less secure electronic environment of the fuel dispenser.
Newer types of payment cards, such as electronic smart cards, have the capability to securely store verification information within the card itself. Thus, a retail transaction processing system capable of interfacing with a smart card may obtain transaction authorization based on information contained in the smart card itself. This allows so-called off-line transaction processing. In an off-line transaction, the retail transaction processing system need not communicate with an outside authorization network in real time. Rather, verification and authorization activities occur locally between the retail transaction processing system and the customer""s smart card, with the retail transaction system reconciling transaction charges with the outside authorization network at a later time. Localized transaction authorization still requires positive identification of the customer and, as such, the customer is commonly required to enter a PIN in conjunction with use of their smart card. After inputting by the customer, this PIN information is transferred to the smart card, where its internal processing capabilities allow for comparison of the input PIN with stored PIN information contained in the smart card""s memory.
Previous designs require transfer of input PIN information to the smart card interface in an unencrypted formatxe2x80x94known as an xe2x80x9cin the clearxe2x80x9d transfer. Because of the sensitive nature of PIN information, such designs use PIN entry devices that are generally designed in a manner that prevents physical tampering with the device for the purpose of illicitly gaining access to unencrypted PIN information input by customers. Since the input PIN information must be securely conveyed to the smart card interface so that it can be communicated to the smart card itself, past smart card interfaces integrated the PIN entry device into a common, physically secure housing. In so doing, the potential for fraud is reduced by eliminating any physically accessible wiring or communications link between the PIN entry device and the smart card interface. However, such integration is not without drawbacks.
Integrating a PIN entry device, such as a keypad, into the smart card reader complicates the overall physical design of the card reader. These design challenges are exacerbated by the fact that overall construction of the smart card reader must be substantially tamper-resistant. Tamper-resistant construction of the card reader/keypad modules significantly complicates field servicing. This is particularly unfortunate, as any system subjected to daily and sometimes careless use by consumers, will fail eventually. Integrating a keypad with a smart card reader has the further drawback of limiting placement options for the keypad/card reader combination within retail transaction processing systems.
Thus, separating the card reader module from the PIN entry device offers several distinct advantages. The PIN entry device, which may be more prone to failure than the card reader module, may be made a separate, independently replaceable component in the transaction processing system. However, entering a PIN into a physically separate device introduces an opportunity for fraud because the customer PIN information must be conveyed between different devices, which may be physically separated by several meters or more.
To eliminate this opportunity for fraud, PIN information is encrypted at its point of entry, e.g., in the input keypad. The card reader module of the present invention includes an interface adapted to receive this encrypted PIN information, along with processing capabilities necessary to decrypt such information. Thus, the present invention allows physical separation of the card reader module from the PIN entry device without compromising overall PIN handling security.
A card reader module for inclusion within a retail transaction processing system provides off-line transaction authorization capability based on processing encrypted PIN information. The card reader module includes a communications interface for receiving encrypted PIN information from another sub-system within the retail transaction processing system and a card interface for communicating with a customer payment card having stored PIN verification information and processing capabilities, such as an electronic smart card. A customer desiring to pay for a transaction using this type of payment card inputs their PIN into an encrypting device for secure transfer to the card reader module. In a preferred embodiment, the card reader module decrypts the received PIN information and provides the decrypted information to the customer payment card, thereby allowing it to determine the validity of the entered PIN information. Based on information returned from the customer payment card, the card reader module provides authorization information to other elements in the retail transaction processing system.
By including PIN decryption processing within the card reader module of the present invention, it may be separated from other elements in the retail transaction processing system without compromising PIN security. For example, an encrypting keypad may be used to receive customer-input PIN information. Once encrypted by the keypad, this secure PIN information may be transferred to the card read module without requiring special security precautions regarding the communications link, e.g., wiring, between the keypad and the card reader modulo. Conventionally, PIN entry devices are physically integrated into card reader modules in a tamper-proof manner. This integration complicates placement of the integrated module within a customer interface included in the retail transaction processing system and increases service complexity and cost because a failure of either the PIN-entry device or card reader requires replacement of the entire tamper-proof assembly. Providing a separate card reader module with PIN decryption capabilities solves these aforementioned problems and preserves PIN security.
A preferred embodiment of the present invention includes a fuel dispenser associated with a card reader module of the present invention. An encrypting keypad, also associated with the fuel dispenser, permits customers to input PIN information that is securely transferred to the card reader module. Based on providing a customer payment card with the decrypted PIN information, the card reader module obtains authorization for a fueling transaction from the customer payment card without requiring a communications link to an outside authorization network.